If Kron PAM has been running with a software-based master key, the database contains DEK records encrypted under that key. Simply switching kron.crypto.keyProvider to hsm without migrating those records would leave Kron PAM unable to decrypt them: it would look for the master key in the HSM, which does not hold the software key.
The correct process is to use the DEK Rotation Utility (dek-rotator.jar) to re-encrypt every DEK record. The tool reads each DEK from the database, decrypts it using the current (software) master key, re-encrypts it using the HSM master key, and writes the updated record back. The process is atomic per record and can be interrupted and resumed.
Run dek-rotator.jar only on the master Kron PAM instance. Do not execute it on replica or standby nodes. Running it concurrently on multiple nodes risks database corruption.
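The per-record re-wrap and resume behaviour described above, as an added illustration (not Kron PAM's or dek-rotator.jar's code): each record carries a provider tag, records already tagged hsm are skipped on a rerun, and a wrong current master key fails verification instead of silently producing garbage. The wrapping cipher is a constructed stand-in (SHA-256 keystream plus HMAC tag); the real algorithm is not documented here.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the real wrapping cipher: XOR with a SHA-256
# keystream plus an HMAC-SHA256 tag over (provider, nonce, ciphertext).
# Kron PAM's actual DEK wrapping algorithm is not on the page.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def wrap_dek(master_key: bytes, dek: bytes, provider: str) -> dict:
    """Encrypt a DEK under master_key and tag the record with its provider."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(master_key, nonce, len(dek))))
    tag = hmac.new(master_key, provider.encode() + nonce + ct, "sha256").digest()
    return {"provider": provider, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap_dek(master_key: bytes, rec: dict) -> bytes:
    """Verify the tag, then decrypt; a wrong master key raises instead of returning garbage."""
    data = rec["provider"].encode() + rec["nonce"] + rec["ct"]
    expected = hmac.new(master_key, data, "sha256").digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("DEK record does not verify under this master key")
    ks = _keystream(master_key, rec["nonce"], len(rec["ct"]))
    return bytes(a ^ b for a, b in zip(rec["ct"], ks))

def migrate_to_hsm(records: list, software_key: bytes, hsm_key: bytes, stop_after=None) -> int:
    """Re-wrap every software-wrapped DEK under the HSM key, one record per commit.
    Records already tagged 'hsm' are skipped, so an interrupted run is resumed by
    running again. stop_after is a hypothetical hook that simulates an interruption.
    Returns the number of records migrated in this run."""
    done = 0
    for rec in records:
        if rec["provider"] == "hsm":
            continue  # already migrated in an earlier (interrupted) run
        if stop_after is not None and done >= stop_after:
            raise RuntimeError("simulated interruption mid-migration")
        dek = unwrap_dek(software_key, rec)
        rec.update(wrap_dek(hsm_key, dek, "hsm"))  # the single write for this record
        done += 1
    return done
```

Running the script a second time after an interruption migrates only the remaining software-tagged records, which is the property that makes the real tool safe to resume.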
Execute the tool, pointing it at the Netright properties file:
[pamuser@KronPAM_Instance]# java -jar dek-rotator.jar /pam/gui/netright/netright.properties
The tool displays a warning and then presents a menu. Read the warning carefully: this tool modifies every DEK record in the database, so ensure you have a recent database backup before proceeding. Select option 2-) Migrate master key to HSM:
WARNING: BE CAREFUL WHILE USING THIS TOOL. IT WILL UPDATE ALL T_DEK
RECORDS IN THE DATABASE BY ENCRYPTING THEM WITH THE NEW MASTER KEY.
Menu:
1-) Renew master key
2-) Migrate master key to HSM
3-) Migrate master key from HSM
0-) Exit
Choose an option: 2
Enter current master key: [enter existing software master key]
The tool will process all DEK records and confirm when migration is complete. After it exits successfully, update security.properties to activate the HSM provider:
kron.crypto.keyProvider = hsm